From 0993f9d83532422d1ca35a924b7eea417df3b0be Mon Sep 17 00:00:00 2001
From: Jason Tackaberry <tack@urandom.ca>
Date: Sat, 6 Jan 2024 18:45:51 -0500
Subject: [PATCH] Don't require static credentials for S3 access

---
 aws/s3.go | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/aws/s3.go b/aws/s3.go
index ecabc44e..307e0df0 100644
--- a/aws/s3.go
+++ b/aws/s3.go
@@ -120,12 +120,18 @@ func (s *S3Client) Download(ctx context.Context, writer io.WriterAt) error {
 }
 
 func (s *S3Client) createSession() (*session.Session, error) {
-	sess, err := session.NewSession(&aws.Config{
+	cfg := aws.Config{
 		Endpoint:         aws.String(s.endpoint),
 		Region:           aws.String(s.region),
-		Credentials:      credentials.NewStaticCredentials(s.accessKey, s.secretKey, ""),
 		S3ForcePathStyle: aws.Bool(s.forcePathStyle),
-	})
+	}
+	// If credentials aren't provided by the user, the AWS SDK will use the default
+	// credential provider chain, which supports environment variables, shared credentials
+	// file, and EC2 instance roles.
+	if s.accessKey != "" && s.secretKey != "" {
+		cfg.Credentials = credentials.NewStaticCredentials(s.accessKey, s.secretKey, "")
+	}
+	sess, err := session.NewSession(&cfg)
 	if err != nil {
 		return nil, fmt.Errorf("failed to create S3 session: %w", err)
 	}